[gentoo-hardened] Incorrect contexts in /run revisited

[gentoo-hardened] Incorrect contexts in /run revisited

[Ben Pritchard]

Hello all

In March, I reported some issues with SELinux contexts in /run. (I seem
to have misplaced the email -- archive at
http://article.gmane.org/gmane.linux.gentoo.hardened/6180).

It look like Sven added the functionality a few months ago, and it is
available in version 2.20140311-r5 (currently ~arch).

Note 1: There are a few pacakges that need this implemented. Fail2ban
is one on my machine. Should I file a bug report (probably against
sec-policy/selinux-fail2ban)?

Note 2: There's possibly a bug in the new tmpfiles module
(policy/modules/system/tmpfiles.fc). I'm not so sure /lib/rc/bin/checkpath
should have context tmpfiles_exec_t. Again, this seems to make several
directories (and maybe files) in /run have context var_run_t.

What I think is happening is that init_daemon_pid_file() only allows
transitions for the initrc_t domain, and checkpath is no longer running in
that domain. Therefore, the file transition from var_run_t to whatever
type is specified as the first argument in init_daemon_pid_file is
not done.

Changing the context of /lib/rc/bin/checkpath to bin_t makes many more
of the files in /run have the correct context again on boot.

(perhaps this belongs on the selinux mailing list?)

Thanks

-- 
Ben Pritchard

Re: [gentoo-hardened] Incorrect contexts in /run revisited

[Sven Vermeulen]

[-- Attachment #1: Type: text/plain, Size: 1684 bytes --]

I think that the call to init_daemon_pidfile is probably missing a context
definition in the .fc file for those locations that checkpath is enforcing.

You can file a bug for this (a single bug is fine, we don't need one for
every missing definition). We will upstream it when  appropriate.

Wkr
  Sven
On Aug 16, 2014 9:46 PM, "Ben Pritchard" <ben@bennyp.org> wrote:

> Hello all
>
> In March, I reported some issues with SELinux contexts in /run. (I seem
> to have misplaced the email -- archive at
> http://article.gmane.org/gmane.linux.gentoo.hardened/6180).
>
> It look like Sven added the functionality a few months ago, and it is
> available in version 2.20140311-r5 (currently ~arch).
>
> Note 1: There are a few pacakges that need this implemented. Fail2ban
> is one on my machine. Should I file a bug report (probably against
> sec-policy/selinux-fail2ban)?
>
> Note 2: There's possibly a bug in the new tmpfiles module
> (policy/modules/system/tmpfiles.fc). I'm not so sure /lib/rc/bin/checkpath
> should have context tmpfiles_exec_t. Again, this seems to make several
> directories (and maybe files) in /run have context var_run_t.
>
> What I think is happening is that init_daemon_pid_file() only allows
> transitions for the initrc_t domain, and checkpath is no longer running in
> that domain. Therefore, the file transition from var_run_t to whatever
> type is specified as the first argument in init_daemon_pid_file is
> not done.
>
> Changing the context of /lib/rc/bin/checkpath to bin_t makes many more
> of the files in /run have the correct context again on boot.
>
> (perhaps this belongs on the selinux mailing list?)
>
> Thanks
>
> --
> Ben Pritchard
>
>
>
>

[-- Attachment #2: Type: text/html, Size: 2184 bytes --]

Re: [gentoo-hardened] Incorrect contexts in /run revisited

[Jason Zaman]

On Sat, Aug 16, 2014 at 03:46:43PM -0400, Ben Pritchard wrote:
> Hello all
> 
> In March, I reported some issues with SELinux contexts in /run. (I seem
> to have misplaced the email -- archive at
> http://article.gmane.org/gmane.linux.gentoo.hardened/6180).
> 
> It look like Sven added the functionality a few months ago, and it is
> available in version 2.20140311-r5 (currently ~arch).

I actually fixed this, its a problem with OpenRC not with SELinux per-se

https://bugs.gentoo.org/show_bug.cgi?id=516956

Checkpath now does a restorecon when it creates things, it will be in
openRC-0.13 which is not yet released. Can you test openrc-9999 (it has
all the fixes in it and is quite close to release).
> 
> Note 1: There are a few pacakges that need this implemented. Fail2ban
> is one on my machine. Should I file a bug report (probably against
> sec-policy/selinux-fail2ban)?
> 
> Note 2: There's possibly a bug in the new tmpfiles module
> (policy/modules/system/tmpfiles.fc). I'm not so sure /lib/rc/bin/checkpath
> should have context tmpfiles_exec_t. Again, this seems to make several
> directories (and maybe files) in /run have context var_run_t.

The tmpfiles module goes along with the new OpenRC the current stable
(0.12) is missing the relabel parts.

> What I think is happening is that init_daemon_pid_file() only allows
> transitions for the initrc_t domain, and checkpath is no longer running in
> that domain. Therefore, the file transition from var_run_t to whatever
> type is specified as the first argument in init_daemon_pid_file is
> not done.
> 
> Changing the context of /lib/rc/bin/checkpath to bin_t makes many more
> of the files in /run have the correct context again on boot.

Can you try OpenRC-0.13 and have checkpath and tmpfiles.sh with the
tmpfiles labels and see if that fixes it.

If that does not fix it, we will need to add in fcontexts for things,
filing bugs would be great :)

> (perhaps this belongs on the selinux mailing list?)

No, this is gentoo related (for now at least, we're working on
upstreaming it)

-- Jason

Re: [gentoo-hardened] Incorrect contexts in /run revisited

[Ben Pritchard]

Thanks, that fixed a lot of it. Sven's answer makes a bit more sense
now :)

The only ones remaining (for me anyway) don't seem to be related to file
contexts (ie, fail2ban is still incorrect, since it doesn't use
start-stop-daemon -- it's just missing the init_daemon_pid_file),
so there may be a few reports coming your way.


Thanks for the help
-- 
Ben Pritchard


On Sun, Aug 17, 2014 at 12:01:51AM +0400, Jason Zaman wrote:
> On Sat, Aug 16, 2014 at 03:46:43PM -0400, Ben Pritchard wrote:
> > Hello all
> > 
> > In March, I reported some issues with SELinux contexts in /run. (I seem
> > to have misplaced the email -- archive at
> > http://article.gmane.org/gmane.linux.gentoo.hardened/6180).
> > 
> > It look like Sven added the functionality a few months ago, and it is
> > available in version 2.20140311-r5 (currently ~arch).
> 
> I actually fixed this, its a problem with OpenRC not with SELinux per-se
> 
> https://bugs.gentoo.org/show_bug.cgi?id=516956
> 
> Checkpath now does a restorecon when it creates things, it will be in
> openRC-0.13 which is not yet released. Can you test openrc-9999 (it has
> all the fixes in it and is quite close to release).
> > 
> > Note 1: There are a few pacakges that need this implemented. Fail2ban
> > is one on my machine. Should I file a bug report (probably against
> > sec-policy/selinux-fail2ban)?
> > 
> > Note 2: There's possibly a bug in the new tmpfiles module
> > (policy/modules/system/tmpfiles.fc). I'm not so sure /lib/rc/bin/checkpath
> > should have context tmpfiles_exec_t. Again, this seems to make several
> > directories (and maybe files) in /run have context var_run_t.
> 
> The tmpfiles module goes along with the new OpenRC the current stable
> (0.12) is missing the relabel parts.
> 
> > What I think is happening is that init_daemon_pid_file() only allows
> > transitions for the initrc_t domain, and checkpath is no longer running in
> > that domain. Therefore, the file transition from var_run_t to whatever
> > type is specified as the first argument in init_daemon_pid_file is
> > not done.
> > 
> > Changing the context of /lib/rc/bin/checkpath to bin_t makes many more
> > of the files in /run have the correct context again on boot.
> 
> Can you try OpenRC-0.13 and have checkpath and tmpfiles.sh with the
> tmpfiles labels and see if that fixes it.
> 
> If that does not fix it, we will need to add in fcontexts for things,
> filing bugs would be great :)
> 
> > (perhaps this belongs on the selinux mailing list?)
> 
> No, this is gentoo related (for now at least, we're working on
> upstreaming it)
> 
> -- Jason
>